Federal Regulators Crack Down on Financial Institutions Allowing “Off-Channel” Communication

June 13, 2023 Advisory

Since late 2021, U.S. federal regulators have fined financial institutions over $1 billion for allowing employees to conduct business using “off-channel” communication, which is defined as digital and electronic communication conducted using channels outside the company’s approved and controlled systems. 

Initially, the regulatory push was primarily directed at the largest Wall Street banking organizations, such as JP Morgan Chase and Citigroup, but recently large regional banking organizations, such as KeyCorp and Fifth Third, have announced they are facing similar investigations.

The publicly announced fines and investigations – initiated by the U.S. Securities and Exchange Commission (SEC) and the Commodity Futures Trading Commission (CFTC) – have been directed at the investment arms of the target companies; however, the legal concerns and risk issues driving the regulatory initiative appear relevant to all banks and to traditional banking functions. 

Off-Channel Communication

Generally, financial institutions require employees to use approved digital/electronic communication systems, such as the company email system, for business-related communication. These systems are built with cybersecurity protection controls and are set to meet required record retention standards. 

However, for the sake of convenience, employees may circumvent these controlled systems and resort to using off-channel communication when conducting business. Employees with bad motives may even opt to use off-channel methods to conceal business communication from supervisors, auditors or regulators. 

Typically, off-channel communication can be conducted using personal cell phones for texting, personal email accounts or messaging services like WhatsApp to communicate about business matters with co-workers and customers.

Prevalence of Off-Channel Communication in the Banking Industry

In our current digital, post-pandemic communication age with remote work as a new normal, even the smallest community banks likely have significant risk that employees may be using off-channel communication for business purposes – such as texting customers about loan terms, documents or disclosures.

Risks with Off-Channel Communication

The use of off-channel communication involves a variety of risks for banking organizations, including:

  • Legal and compliance risk:
  1. compromised ability to respond to information requests from regulators, creating risk of examination citations, enforcement actions and penalties for failure to produce records, failure to follow record-keeping requirements and failure to follow information security standards to protect confidential records;
  2. compromised ability to respond to discovery requests and subpoenas to turn over off-channel communication, creating risk of sanctions and other negative litigation fallout;
  3. inability to control adherence to document retention schedules, potentially leading to large amounts of discoverable documents accumulating in off-channel sources and significant cost and time to retrieve those documents per subpoena or court order; and
  4. increased risk of noncompliance with e-communication laws, such as the federal CAN-SPAM Act and the E-Sign Act, depending on the facts.
  • Cybersecurity risk: lack of protections against attacks on data stored in off-channel communications; and lack of control of business data stored in off-channel communications for purposes of data retention and purging. 
  • Operational risk: inability to monitor, review, audit or control business communications using off-channel methods; and violations of bank policy creating inconsistencies in how business is conducted.  

Basis of Recent Off-Channel Communication Fines

The recent SEC and CFTC actions alleged violations of regulatory record retention requirements that ensure investigator access to business records. The actions also alleged violation of internal company records retention and data security rules. 

All banks are subject to similar types of rules mandating retention of certain types of records for designated periods of time, such as rules governing anti-money laundering and consumer lending.[i] In addition, many state bank regulatory authorities have broader-based record retention rules.[ii] Also, banks are required by state and federal law to provide bank examiners with access to bank business records and to implement information security programs and records retention programs.[iii]

Options to Address Off-Channel Communication Problems

Addressing the risks posed by off-channel communication is challenging, because abruptly stopping it may not be practical and could put the bank and its employees at a disadvantage in the market.

Banks may want to consider vendor products that can be used to route communication (such as business-related texts from personal cell phones) through a company-controlled application to capture and retain the communication. 

Of course, any solution would need to involve a system to audit communication practices to identify off-channel communication and related regulatory and policy violations.  

Bank Regulators and Off-Channel Communication

Although the federal bank regulators – Federal Reserve, Federal Deposit Insurance Corporation, Office of the Comptroller of the Currency and Consumer Financial Protection Bureau (CFPB) – have not publicly announced enforcement actions targeting off-channel communication recently, they have indicated in prior guidance that banks must implement communication systems that control business information to avoid security breaches and ensure examiner access to bank records.[iv]

Ironically, the CFPB recently addressed its own scandal involving an employee who was engaged in a form of off-channel communication by sending emails with records identifying over 200,000 financial institution customers to his personal email account. However, that incident is unlikely to deter the bank regulatory authorities from following the lead of the SEC and CFTC in attacking the use of off-channel communication for bank business.

Seasoned bankers are familiar with the pattern of exam focus issues starting with the larger banks, then trickling down to the mid-sized banks and, finally, to smaller community banks. Off-channel communication may be headed down that path.  

[i] E.g., 31 CFR 1010.400-440; 12 CFR 1002.12; 12 CFR1026.25. 

[ii] E.g., 20 CSR 1140-2.140 (Missouri rule).

[iii] 12 USC 481; 12 USC 1820(b) and (c); 12 USC 248(a); Sections 361.160 and 362.410 RSMo; 12 CFR Part 30 App. B; 12 CFR Part 364 App. B; 12 CFR Part 208 App. D-2.

[iv] Id.; see also OCC Comptroller’s Handbook: Bank Supervision Process, Appendix B; FDIC Basic Examination Concepts and Guidelines, Section 1.1; Federal Reserve Commercial Bank Examination Manual, Section 1000.1.

Contact Us
  • Worldwide
  • Boston, MA
  • Chicago, IL
  • Denver, CO
  • Dublin, Ireland
  • Edwardsville, IL
  • Jefferson City, MO
  • Kansas City, MO
  • Las Vegas, NV
  • London, England
  • Miami, FL
  • New York, NY
  • Orange County, CA
  • Philadelphia, PA
  • Princeton, NJ
  • Salt Lake City, UT
  • St. Louis, MO
  • Washington, D.C.
  • Wilmington, DE
abstract image of world map
Boston, MA
800 Boylston St.
30th Floor
Boston, MA 02199
Google Maps
Boston, Massachusetts
Chicago, IL
100 North Riverside Plaza
Suite 1500
Chicago, IL 60606-1520
Google Maps
Chicago, Illinois
Denver, CO
4643 S. Ulster St.
Suite 800
Denver, CO 80237
Google Maps
Denver, Colorado
Dublin, Ireland
Fitzwilliam Hall, Fitzwilliam Place
Dublin 2, Ireland
Google Maps
Edwardsville, IL
115 N. Second St.
Edwardsville, IL 62025
Google Maps
Edwardsville, Illinois
Jefferson City, MO
101 E. High St.
First Floor
Jefferson City, MO 65101
Google Maps
Jefferson City, Missouri
Kansas City, MO
2345 Grand Blvd.
Suite 1500
Kansas City, MO 64108
Google Maps
Kansas City, Missouri
Las Vegas, NV
7160 Rafael Rivera Way
Suite 320
Las Vegas, NV 89113
Google Maps
Las Vegas, Nevada
London, England
Royal College of Surgeons of England
38-43 Lincoln’s Inn Fields
London, WC2A 3PE
Google Maps
Miami, FL
355 Alhambra Circle
Suite 1250
Coral Gables, FL 33134
Google Maps
Photo of Miami, Florida
New York, NY
7 Times Square, 44th Floor
New York, NY 10036
Google Maps
New York City skyline
Orange County, CA
19800 MacArthur Boulevard
Suite 300
Irvine, CA 92612
Google Maps
Philadelphia, PA
2005 Market Street
29th Floor, One Commerce Square
Philadelphia, PA 19103
Google Maps
Philadelphia, Pennsylvania
Princeton, NJ
100 Overlook Center
Second Floor
Princeton, NJ 08540
Google Maps
Princeton, New Jersey
Salt Lake City, UT
222 South Main St.
Suite 1830
Salt Lake City, UT 84101
Google Maps
Salt Lake City, Utah
St. Louis, MO
7700 Forsyth Blvd.
Suite 1800
St. Louis, MO 63105
Google Maps
St. Louis, Missouri
Washington, D.C.
1717 Pennsylvania Avenue NW
Suite 400
Washington, DC 20006
Google Maps
Photo of Washington, D.C. with the Capitol in the foreground and Washington Monument in the background.
Wilmington, DE
1007 North Market Street
Wilmington, DE 19801
Google Maps
Wilmington, Delaware